Several Sites Defaced
3rd Update: The Register has published more details of the incident: http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/ (thanks Alex)
2nd Update: The root problem appears to be mitigated now. However, many DNS servers now have bad results cached. Please flush the cache of your recursive DNS servers.
Host names and IP addresses to watch:
ns1.yumurtakabugu.com. or 68.68.21.195
ns2.yumurtakabugu.com. or 68.68.21.196
ns3.yumurtakabugu.com. or 68.68.21.197
ns4.yumurtakabugu.com. or 68.68.21.198
IP Address used as A record for affected domains: 68.68.20.116
In particular, the IP addresses may change at any time. Please keep watching them and remove them from your blocklists as appropriate.
---
There have been several widespread defacements reported to us today. It appears that the NS records for all of the affected domains point to the same name servers, as seen below:
ups.com. 85621 IN NS ns1.yumurtakabugu.com.
ups.com. 85621 IN NS ns2.yumurtakabugu.com.
ups.com. 85621 IN NS ns4.yumurtakabugu.com.
ups.com. 85621 IN NS ns3.yumurtakabugu.com.
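As an added example (not part of the original diary), the following Python script checks dig-style resource-record lines against the name servers and IP addresses listed in the watch list above and reports any owner name whose delegation or A record points at them. The record lines fed to it are constructed for the example; only the indicator host names and addresses come from the diary.

```python
"""Added example (not part of the ISC diary): flag domains whose NS
delegation or A record matches the hijack indicators listed above.

Input is dig-style resource-record lines ("name TTL IN type rdata").
The sample records below are constructed; only the name-server host
names and IP addresses come from the diary's watch list."""

import ipaddress
import re

# Indicators taken from the diary's watch list.
BAD_NS = {
    "ns1.yumurtakabugu.com.",
    "ns2.yumurtakabugu.com.",
    "ns3.yumurtakabugu.com.",
    "ns4.yumurtakabugu.com.",
}
BAD_IPS = {
    ipaddress.ip_address("68.68.21.195"),
    ipaddress.ip_address("68.68.21.196"),
    ipaddress.ip_address("68.68.21.197"),
    ipaddress.ip_address("68.68.21.198"),
    ipaddress.ip_address("68.68.20.116"),  # A record handed out for hijacked domains
}

RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$"
)


def parse_records(text):
    """Parse dig-style RR lines into (name, ttl, type, rdata) tuples.

    Blank lines and ';' comment lines are skipped; anything else that does
    not match the record shape raises, so a mangled capture is not silently
    treated as clean."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable record line: {line!r}")
        records.append((m["name"].lower(), int(m["ttl"]), m["type"], m["rdata"]))
    return records


def find_hijacked(records):
    """Return {owner name: sorted list of reasons} for records matching the IoCs."""
    hits = {}
    for name, _ttl, rtype, rdata in records:
        reason = None
        if rtype == "NS" and rdata.lower() in BAD_NS:
            reason = f"NS -> {rdata.lower()}"
        elif rtype == "A":
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue  # malformed address, not something we can match
            if addr in BAD_IPS:
                reason = f"A -> {addr}"
        if reason:
            hits.setdefault(name, []).append(reason)
    return {owner: sorted(reasons) for owner, reasons in hits.items()}


# Constructed sample: the ups.com delegation quoted in the diary, one clean
# domain, and one hypothetical host resolving to the defacement address.
SAMPLE = """\
; constructed sample records, not a live capture
ups.com.        85621 IN NS ns1.yumurtakabugu.com.
ups.com.        85621 IN NS ns2.yumurtakabugu.com.
ups.com.        85621 IN NS ns4.yumurtakabugu.com.
ups.com.        85621 IN NS ns3.yumurtakabugu.com.
example.net.    3600  IN NS ns1.example.net.
example.net.    3600  IN A  192.0.2.10
www.example.org. 300  IN A  68.68.20.116
"""

if __name__ == "__main__":
    for owner, reasons in sorted(find_hijacked(parse_records(SAMPLE)).items()):
        print(f"{owner}: {', '.join(reasons)}")
```

Pointing the same check at your recursive resolver's cache dump (rather than at authoritative answers) is what tells you whether the stale delegation is still being served from cache after the upstream fix, which is the case the 2nd update asks you to flush.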
Here are a few examples of the sites so far:
ups.com
theregister.co.uk
acer.com
telegraph.co.uk
betfair.com
vodafone.com
nationalgeographic.com
The one commonality is that they all appear to be registered via ascio.com.
More details as we learn more.
UPDATE: This IP is hosted by BlueMile. We have contacted them and they are aware of the situation and working on it.
Comments
My machines using OpenDNS are seeing the proper addresses.
Paul
Sep 4th 2011
Ryan
Sep 4th 2011
Dshield
Sep 5th 2011
Jason
Sep 5th 2011
I don't think the OP was suggesting the registry was hacked, as otherwise nobody would have 'good' records.
Consequently, DNSSEC would help this problem, as that's its primary function.
Dom De Vitto
Sep 5th 2011
Classicplatforms dot com?
I cannot get to them.
That's not normal.
Ol'Bud
Sep 5th 2011
I got to Classicplatforms
Ol'Bud
Sep 5th 2011
"It appears that the turkish attackers managed to hack into the DNS panel of NetNames using a SQL injection and modify the configuration of arbitrary sites, to use their own DNS (ns1.yumurtakabugu.com and ns2.yumurtakabugu.com) and redirect those websites to a defaced page."
Alex
Sep 5th 2011